Date: Thu, 03 Jul 2014 22:33:13 -0230 From: Jonathan Anderson <jonathan@FreeBSD.org> To: freebsd-security@freebsd.org Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default? Message-ID: <53B5FD51.4050309@FreeBSD.org> In-Reply-To: <20140703221448.GA99094@calvin.ustdmz.roe.ch> References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com> <20140703221448.GA99094@calvin.ustdmz.roe.ch>
next in thread | previous in thread | raw e-mail | index | archive | help
Daniel Roethlisberger wrote: > I share your view that there should be functional HTTPS capability in > a base install. I think we're all agreed on that, my point is that the statement "a base install should have a CA bundle by default" does not have to imply "every FreeBSD system must accept a the same CAs". A "base install" is something that's been customized by the installer: we don't all have the same keyboard, we don't all extract a ports tree at install time, so why not make CA bundles part of the install-time customization? Put another way, /etc/ssl and /usr/local/etc/ssl are additive, not subtractive: we can make it easy for users to install whatever CA bundles they like, but if you put a bad CA cert in the base system, I have to manually patch the base system, even in environments where I'd rather use binary releases and freebsd-update. Jon -- Jonathan Anderson jonathan@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53B5FD51.4050309>